Who Should HIPAA Complaints be Directed to within the Covered Entity?


If a workforce is trained properly in HIPAA compliance, its members should be able to identify violations of HIPAA. Additionally, patients who have concerns about HIPAA compliance should be able to file a complaint with the Covered Entity that holds their data. But who should HIPAA complaints be directed to within a Covered Entity? Who is responsible for overseeing the complaints procedure and for keeping a record of the concerns raised by the workforce and by customers?

HIPAA is primarily concerned with maintaining the security and privacy of patient Protected Health Information (PHI). It contains a number of rules that stipulate how PHI can be used, who can access it, and what technical, administrative, and physical safeguards must be in place to ensure PHI remains secure.

However, the Act stipulates several other requirements that may not immediately seem related to the security of PHI, but that are essential in preventing HIPAA violations. For example, HIPAA requires that all of a Covered Entity’s (CE’s) employees are regularly trained in HIPAA compliance, and that all new employees are trained within a reasonable period of their start date.

Another requirement, stipulated by the XXX Rule, is that all Covered Entities appoint a HIPAA Privacy Officer and a HIPAA Security Officer. In some smaller organizations, these may not be separate positions but rather combined into a single “HIPAA Compliance Officer”. 

Among other things, these HIPAA Officers are the point of contact for any employee, patient, or customer who has concerns about HIPAA violations within the CE. All CEs should have an easy-to-use complaints procedure, overseen by the Compliance Officer, that encourages the reporting of HIPAA complaints. This is important, as it helps to ensure that any violations are handled promptly, potentially mitigating their negative consequences.

The HIPAA Officer can then assess these complaints and, where needed, draw up a corrective action plan or escalate the complaint. If the complaint was genuine, and actually the result of a HIPAA violation, it should be reported to the Department of Health and Human Services, which may seek to issue its own corrective action plan.

It is important that employees are encouraged to report all manner of HIPAA complaints, not just those that are direct violations of HIPAA. This includes “near misses”, where a violation almost occurred. Doing so helps a CE identify where it may be at risk of committing an actual violation.